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(57) ABSTRACT 

A secure computing system prevents unauthorized use of 
compressed video data stored in a first-in-first-out memory 
buffer in a set top box. A single integrated circuit includes a 
data processor and a chip identity read only register storing 
a unique chip identity number fixed during manufacture. The 
data processor encrypts the compressed video data stream 
using the chip identity number as an encryption key. This 
encrypted data is stored in and recalled from a FIFO buffer. 
The data processor then decrypts the recalled data employ- 
ing at least a part of the chip identity number as the 
decryption key. Using technique the compressed video data 
stream temporarily stored in compressed form in the FIFO 
buffer can only be employed by the particular data processor 
having the unique chip identity number. 

10 Claims, 5 Drawing Sheets 
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COMPRESSES VIDEO DECOMPRESSION resources to reverse engineer the security protocol. 

SYSTEM WITH ENCRYPTION OF Accordingly, these such fixed function set top boxes are 

COMPRESSED DATA STORED IN VIDEO considered secure. The future proposals for set top boxes 

BUFFER places the security assumption in jeopardy. The set top box 

S currently envisioned for the future would be a more capable 

This application claims priority under 35 USC §11 9(e) machine. These set top boxes are expected to enable plural 

(1) of Provisional Application No. 60/087,262, filed May 29, home entertainment options such as the prior known video 

1998. programming options, viewing video programming stored 

on fixed media such as DVD disks, Internet browsing via a 
TECHNICAL FIELD OF THE INVENTION 30 telephone or cable modem and playing video games down- 
line technical field of this invention is secure computing ***** via * e mod u em or via a video data stream. Enabling 
systems, especially computer systems that may execute after the ^ to P box to be programmed after installation greatly 
manufacture field provided programs secured to prevent the complicates security. It would be useful in the art to have a 
user from unauthorized use of selected computer services. se <™ e wav t0 enab ! e fie * d [^programming of set top boxes 
The computer system may also be fictionally reprogram- 15 Wltho * the kerarch y of Vlde0 Pn*nunmmg 
mable in a secure manner. secun y. 



BACKGROUND OF THE INVENTION 



SUMMARY OF THE INVENTION 



This invention is a secure computing system that prevents 
There are currently many methods to deliver video pro- 2Q unauthorized use of compressed video data stored in a 
gramming to a users television besides over the air broad- first-in-first-out memory buffer in a set top box. In a typical 
cast. Numerous service providers are available to supply this system, the set top box receives an encrypted video data 
programming to television viewers. Most of these service stream, such as representing a premium channel or pay-per- 
providers vend a hierarchy of services. Typically there is a view event. If the use is authorized, a data processor 
basic service for a basic fee and additional services available 2S decrypts this data for display. The video data stream is 
for an additional fee. The basic services typically include the typically transmitted in a compressed form to reduce the 
broadcast network programming, cable superstates, music necessary channel bandwidth. Current video compression 
and sports programming. These basic services are typically techniques do not compress data uniformly. It is known in 
supported by advertizing. These basic programming services the art to include fully transmitted video frames interleaved 
thus operate on the same economics as over the air broadcast 30 with differentially encoded frames and predictively encoded 
television. The additional services typically include the so frames. For this reason a uniform compressed video data rate 
called "premium" programming such as sports and movies. does not translate into a uniform decompressed video data 
These premium programming services are typically not ra te. Typical set top boxes employ off chip DRAM as a 
advertizer supported. These are perceived by the television first-in-first-out (FIFO) buffer to prevent the decompression 
user as higher value services and television users are willing 35 process from overflowing or underflowing. The memory bus 
to pay their service providers additional fees for these traffic between the data processor and the portion of memory 
services. The service provider passes much of this additional used as the FIFO buffer is subject to interception and 
fee to the content providers as their compensation for unauthorized use. 

supplying the programming. There may be one or several ^ data processor used m this invention is disposed on 

tiers of these premium services made available by the 40 a single integrated circuit This data processor includes a chip 
service providers. At the top of this programming hierarchy identity read only register s{odng a unique chip identity 
is pay per view programming. Pay per view programming number ^ unique ^ identity number ^ fixed during 
typically includes music concerts and sporting events per- mami f ac ture by, for example, laser probing or selective 
ceived as time sensitive and highly valuable by the televi- activation of fose or antifuse ]inks ia the chip identity 
sion users. Pay per view may also include video on demand, 45 registen data processor encrypts the compressed video 
where the television user requests a particular movie be data stream using at kast a rt of the chi Menti number 
supplied. This hierarchy of service exists for all current as an encryp tion key. This encrypted data is stored in the 
alternative methods of program delivery including television memory area as the FIF0 5uffer The data is recalled 

cable, over the air microwave broadcast and direct satellite from mcmory as nccded for video decompress i on . The data 
television. 50 processor then decrypts the recalled data employing at least 

Reception of such alternative programming services has a part 0 f the chip identity number as the decryption key. 
required an additional hardware appliance beyond the user Using technique compressed video data stream tern- 

provided television receiver since the beginning of cable porarily stored m compressed form in the FIF0 buffer can 
television. Initially this additional hardware appliance only be read by the particular data proccssor having the 
merely translated the frequency of the signal from the 55 unique chip identity number. Since the chip identity number 
transmission frequency to a standard frequency used in ^ unique to thal particular data proC essor, the video data 
broadcast television. Such a standard frequency is receivable cannot be processed by another data proceS sor, even another 
by the user provided television receiver. This additional identical ^ top box system vrt thout breaking the code . 
hardware appliance is commonly know as a "set top box" in encryption and decryption is transparent to the user requir- 
reference to its typical deployment on top of the television 6Q ing only a smaU additiona i processing capacity within the 
receiver. Current set top boxes handle the hierarchy of data processor 
security previously described. 

In the past these set top boxes have been fixed function BRIEF DESCRIPTION OF THE DRAWINGS 

machines. This means that the operational capabilities of the These and other aspects of this invention are illustrated in 
set top boxes were fixed upon manufacture and not subject 65 the drawings, in which: 

to change once installed. A person intending to compromise FIG. 1 is a block diagram of one embodiment of the 
the security of such a set top box would need substantial secure computing system of this invention; 
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FIG. 2 is an example memory map of the boot read only voice band modem 117 connected to telephone line 107; and 

memory of the digital media processor illustrated in FIG. 1; infrared receiver 119 capable of receiving the infrared 

FIG. 3 is an example memory map of the nonvolatile si S nak from infrared remote control 109. 

memory of the set top box illustrated in FIG. 1; Set top box 110 includes several output devices coupled 

w-vr A . * c , s to digital media processor 130. Video digital-to-analog con- 

F1G. 4 is an example memory map of the read write , • j j * * e i 

■11 . \ j ■ mo * verter 121 receives a video data stream from digital media 

memory illustrated in FIG. 1; processor 130 and supplies an corresponding video signal to 

FIG. 5 is a flow chart of the initial operation including the television receiver 151. Typically the desired video data 

operating system verification of the digital media processor stream is modulated upon a carrier having a frequency 

illustrated in FIG. 1; 1Q which television receiver 151 can normally receive. It is 

FIG. 6 is a flow chart of the process for verification of an contemplated that video media processor 130 in cooperation 

application to the set top box illustrated in FIG. 1; ^ video digital-to-analog converter 121 will be capable of 

FIG. 7 is a flow chart of the process of verification of a T^th * V ^tflu^V* i^T*' V P °?. f 

* up of set top box system 100 the particular format will be 

aowmoaaea application program; seJected 

to correspond to the capability of the particular 
FIG. 8 is a schematic diagram of a translation look aside 15 television receiver 151 employed. Audio digital-to-analog 
buffer preventing virtual memory relocation of a certain converter 123 receives an audio data stream from digital 
page of memory of the digital media processor of FIG. 1; media processor 130 and supplies a base band audio signal 
FIG. 9 is a flow chart of the process of encrypting and to audio system 153. It is contemplated that this audio signal 
decrypting compressed video data temporarily stored in mav encompass plural audio channels (i.e. left and right 
random access memory; and 20 channels for stereo). It is also contemplated that any par- 
FIG. 10 is a flow chart of the process of mode election in ***** ^ sour ?f ma y mt ; lude encoded audio data 
a hardware debugger/emulator. S * eams Suc \ as a " emative lan ^^ descriptive video or 
^ other separate audio programs (SAP). Note also that the 
DETAILED DESCRIPTION OF PREFERRED aud i° data stream will typically also be modulated on the 
EMBODIMENTS 25 same carrier as the video signal for reception and demodu- 
lation by television receiver 151. 
Hie set top box of the future will enable home entertain- ^ indulgent part of set top box 110 is digital media 
ment options such as the known video programming processor 130. Digital media processor 130 is preferable 
options, viewing video programming stored on fixed media embodied in a single integrated circuit. Note that in order for 
such as digital video disks (DVD), Internet browsing via a 3Q set top box 110 to be fully secure as intended in this 
telephone or cable modem and playing video games down- invention, central processing unit 131 and boot ROM 135 
loaded via the modem or via a video data stream. Such a must be located on the same integrated circuit. Digital media 
variety of capability can only be provided by a fully pro- processor 130 includes central processing unit 131. Central 
grammable data processor which can receive and run down- processing unit 131 is illustrated generically and is not 
loaded programs. This opens up a host of security issues. 35 intended to limit the structure employed. Central processing 
Since much of the utility of the system depends on being unit 131 preferably includes data processing capability for 
able to download various applications, the possibility also control functions required for selection of operating mode, 
exists for an unauthorized application being downloaded. channel tuning, security functions and the like. Central 
Such an unauthorized application may be deliberately writ- processing unit 131 preferably also includes digital signal 
ten to compromise the hierarchy of security. processing capability for decompressing compressed video 
t? „ L1 1 1 , : , . 4 4 , 40 and audio signals, decrypting encrypted video signals, con- 
Fully programmable set top boxes are vulnerable to three yerti ^ receivcd vidc0 6 t0 th 7 format of * thc uscr > s 

main types of attacks. An unauthonzed application may television receiver, operating as a "software" cable modem 

interact with the operating system, possibly bypassing secu- and voice band modem and demodulating the signal from 

nty. The set top box nonvolatile memory may be replaced infrared remote control 109. Central processing unit 131 

with modified resident applications, but with the original 45 ma y include a microprocessor and a digital signal processor, 

operating system. The nonvolatile memory may be replaced a single data processor capable of all the necessary functions 

with a new operating system. The most important item to or a multiprocessor. The exact nature of central processing 

protect is the operating system. If the operating system is un it, except for details noted below, is not relevant to this 

compromised, an unauthorized person can do almost invention. 

anything, including disguising the fact that the operating 50 Digital media processor 130 further includes chip identity 

system is compromised. register 133 Chip identity registcr 133 ^ a programmab i e 

FIG. 1 illustrates in schematic form the parts of a readable register holding an identity number unique to the 

versatile, programmable set top box system 100. Set top box integrated circuit embodying digital media processor 130. 

system 100 is responsive to inputs from: television cable This identity number is preferably implemented as taught in 

101; direct satellite receiver front end 103, digital video disk ss U.S. patent application Ser. No. 08/813,887 entitled 

(DVD) 105; an ordinary telephone line 107; and infrared "CIRCUITS, SYSTEMS, AND METHODS FOR 

remote control 109. These inputs are conventional and need UNIQUELY IDENTIFYING A MICROPROCESSOR AT 

not be more fully described here. Any interaction of these THE INSTRUCTION SET LEVEL" and filed Mar, 7, 1997, 

conventional inputs with the parts of this invention will be now U.S. Pat. No. 6,056,133 issued May 16, 2000. As 

more fully described below. 60 described in this patent application, the unique identification 

The central part of set top box system 100 is the set top code is formed in a read-only data register by laser probing 

box 110. Set top box 110 includes various interfaces for the following integrated circuit test. The unique chip identity 

inputs including: video analog-to -digital converter 111 con- number may be specified via selective blowing of fuse or 

nected to the television cable 101, which may optionally antifuse links or other techniques. This identity number 

include a cable modem; video analog-to -digital converter 65 permits a program to verify the exact identity of the par- 

113 connected to direct satellite receiver front end 103; a ticular digital media processor 130 used in the set top box 

DVD player capable of receiving and reading DVD 105; 110. 
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Digital media processor 130 includes boot read only 
memory (ROM) 135. Digital media processor 130 is con- 
structed so that central processing unit 131 begins executing 
program instructions stored within boot ROM upon each 
initial application of electric power. An exemplary memory 
map of boot ROM 135 is illustrated in FIG. 2. Those skilled 
in the art will realize that the exact order of storage of the 
various parts is not as important as the existence of the 
detailed data types. Boot ROM 135 includes self boot code 
201. Self boot code 201 is the program instructions initially 
executed by central processing unit 131 upon each initial 
application of electric power to digital media processor 130. 
In addition the known processes for initializing computer 
systems, self boot code 201 also includes verification pro- 
gram code 202. Verification program code 202 will be 
further described below in conjunction with FIG. 5. Boot 
ROM 135 also includes a public signature keys. These 
public signature keys include real time operating system 
(RTOS) public signature key 203, first application public 
signature key 205, second application public signature key 
206 to the Nth application public signature key 207. These 
public signature keys are employed in verification of the 
authorization of programs in a manner that will be further 
described below. 

Set top box 110 includes flash (electrically programmable 
read only memory) EPROM 141 bidirectionally coupled to 
digital media processor 130. Flash EPROM 141 serves as 
the nonvolatile memory for set top box system 100. This is 
known as a nonvolatile memory because it retains its con- 
tents when electric power is turned off. Nonvolatile memory 
is needed for the real time operating system (RTOS) and for 
resident applications. FIG. 3 illustrates an exemplary 
memory map of flash EPROM 141. Flash EPROM 141 
includes the real time operating system (RTOS) 210. RTOS 
210 includes program code enabling digital media processor 
130 to receive and process various data streams as they are 
received, Le. in "real" time. RTOS 210 also enables digital 
media processor 130 to respond to operator control via 
infrared remote control 109 and infrared receiver 119. RTOS 
210 includes a signature portion 211 whose use will be 
further described below. Flash EPROM 141 includes pro- 
gram code for the first resident application 220 with its 
corresponding signature portion 221. Likewise, flash 
EPROM 141 included program code for the second resident 
application 230 and its corresponding signature portion 231 
and program code for other resident applications to the Mth 
resident application 240 and its corresponding signature 
portion 241. Flash EPROM 141 optionally includes addi- 
tional public keys including N+lst public key 251, N+2nd 
public key 253 to N+Pth public key 255. These additional 
public signature keys are similar to the N public signature 
keys stored in boot ROM 135. Their use will be detailed 
below. 

Set top box 110 further includes dynamic random access 
memory (DRAM) 143 bidirectionally coupled to digital 
media processor 130. DRAM 143 is a volatile memory that 
serves as read/write memory to temporarily store transient 
data during normal operations. DRAM 143 is preferably 
embodied by synchronous memory employing a RAMBUS 
interface. FIG. 4 illustrates an exemplary memory map of 
DRAM 143, DRAM 143 stores the memory resident part 
261 of the real time operating system. Depending upon the 
particular status of set top box system 100 this memory 
resident part 261 of the RTOS may differ as known in the art. 
DRAM 143 stores the memory resident parts 263 of the 
currently running application or applications. These appli- 
cations may be resident applications stored in flash EPROM 
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141 or transient applications stored in other parts of DRAM 
143. Depending upon the status of set top box system 100, 
there may be various applications running and their imme- 
diately accessible parts will be stored in DRAM 143 for 

S faster access than from flash EPROM 141. DRAM 143 also 
stores transient data 265. This transient data 265 includes 
temporary data used by the various applications as well as 
the current control status as controlled by the user via 
infrared remote control 109 and infrared receiver 119. 

io DRAM 143 stores the program code of various transient 
applications such as first transient application 271, second 
transient application 273 to Qth transient application 275. 
Transient applications are those loaded via cable modem 
111, voice band modem 117 or DVD drive 115 that are 

15 intended for use only during the current session of set top 
box system 100. These may include video games, Internet 
browsing and the like. These transient applications are 
loaded into DRAM 143 each time they are used and then 
discarded. DRAM 143 also stores compressed video in a 

20 first-in-first-out (FIFO) buffer 280. Video data from televi- 
sion cable 101, direct satellite receiver front end 103 and 
DVD 105 will generally be transmitted in compressed form. 
This saves transmission bandwidth and storage space. One 
of the tasks of digital media processor 130 is to decompress 

25 the video data. Current video compression formats (such as 
MPEG2) and all contemplated future video compression 
formats are nonlinear. That is, the different portions of the 
video data stream are compressed to differing degrees. Thus 
a constant rate of received video data represents varying 

30 amounts of video. Following decompression, digital media 
processor must supply video data in a constant rate to be 
viewed. Compressed video FIFO buffer 270 is necessary to 
smooth out the variations in the rate of receipt. This permits 
the decompression process to neither overflow with too 

35 much compressed data nor underflow with no compressed 
data ready for decompression. This is possible because the 
compressed video data stream represents a constant rate 
video data stream that is to be viewed. Thus the overall 
average compressed video data rate corresponds to the 

40 constant real time viewing rate. 

FIG. 5 is a flow chart 300 of an example of digital media 
processor 130 operations controlled by boot ROM 135. 
Upon each initial application of electric power to set top box 
system 100, digital media processor begins executing the 

45 program stored in a predetermined location within boot 
ROM 135, Those portions of this program within boot ROM 
135 relevant to this invention are illustrated in FIG. 5. 
Program 300 first initializes digital media processor 130 
(processing block 301). This process would include clearing 

so registers and caches, setting the initial operating mode and 
the like, in a manner known in the art. Following initializa- 
tion of the processor, program 300 reads the signature 
portion 211 of RTOS 210 stored in flash EPROM 141 
(processing block 302). Program 300 next reads the RTOS 

55 public key 203 from boot ROM 135 (processing block 303). 
Next program 300 verifies the signature portion 211 of 
RTOS 210 (processing block 304). In accordance with the 
known art of public key encryption such as the RSA 
algorithm, signature portion 211 is produced by operating 

60 upon all of RTOS 210 with a secret private signature key. 
The original data of signature portion 211 is recovered by a 
reverse process employing RTOS public signature key 203 
stored in boot ROM 135. This signature verification process 
takes into account what is know as a "trap door" function. 

65 It is a very difficult process to produce a particular signature 
portion knowing only the public key. A change of any 
portion of RTOS 210 is very likely to result in a change in 
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the signature portion 211 in a manner that cannot be pre- 
dicted from only the RTOS public signature key 203. Thus 
it is possible to detect any change in RTOS 210 employing 
the signature portion 211. 

Following the verification, program 300 tests the verified 
signature portion to determine if RTOS 210 supports secure 
applications (decision block 305). This invention contem- 
plates that digital media processor 130 could be embodied in 
applications not requiring the security of set top boxes. In 
such applications, the verified signature portion 211 indi- 
cates that the RTOS need not be secured. Note that even a 
non-secure RTOS must have its stub verified. Failure of the 
signature verification is fatal whether the RTOS is secure or 
non-secure. Program 300 bypasses other steps and starts 
RTOS 210 (processing block 310) if this signature portion 
211 indicates a non-secure use. This will typically involve 
loading at least a portion of RTOS 210 into DRAM 143. It 
is anticipated that DRAM 143 will allow much faster 
memory access than flash EPROM 141. Thus loading por- 
tions of RTOS 210 into DRAM 143 will enable faster 
operation. 

If the verified signature portion indicates that RTOS 210 
is to support secure applications (decision block 305), then 
program 300 tests to determine if RTOS 210 can be verified 
as correct (decision block 306). As described above, the trap 
door function of the private key signature with public key 
signature makes it a very difficult task to modify. RTOS 210 
without producing an unpredictable modification of signa- 
ture portion 211. Thus the initial program stored in boot 
ROM 135 will almost certainly be able to detect unautho- 
rized modification of RTOS 210. This verification of RTOS 
210 permits the vendor of set top box system 100 to be 
confident of the security of the system. 

If the verified signature portion is not verified as secure, 
then program 300 indicates that RTOS 210 is non-secure 
(processing block 307). Thereafter program 300 takes reme- 
dial action (processing block 308). This remedial action can 
take many forms. At the most severe, this remedial action 
could be complete disablement of set top box 110. Shutting 
down media processor 130 will disable set top box 110 since 
it is the intelligence of set top box 110. In most secure 
applications running a non-verified RTOS would be consid- 
ered very dangerous and the only reasonable remedial action 
is disabling set top box 110. In a few cases a less severe 
remedial action may be appropriate. As a less severe reme- 
dial measure, digital media processor 130 could be pro- 
grammed to no longer interact with video data streams from 
television cable 101, direct satellite receiver front end 103 
and/or DVD 105. This mode may permit running local only 
transient applications. The remedial action could include 
signaling the set top box vendor or service provider of the 
security violation via cable modem 111 or voice band 
modem 117. The recipient of this notification could then 
determine either automatically or manually how to deal with 
the security violation. One method of responding to such a 
notification of a security violation is to download via cable 
mode 111 or voice band modem 117 an authorized copy of 
the RTOS for storage in flash EPROM 143, overwriting the 
unauthorized copy. Another method is to download a diag- 
nostic program which will verify and determine the extent of 
the security violation. At the least severe level most suitable 
for service providers who supply only advertiser supported 
program material, is to ignore the security violation and 
permit operation of the non-secure RTOS. 

If the verified signature portion is verified as secure, then 
program 300 indicates that RTOS 210 as verified 
(processing block 309). Thereafter program 300 starts 
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operation of RTOS 210 (processing block 310). As described 
above this would typically involve copying at least portions 
of RTOS 210 from flash EPROM 141 to DRAM 143. 
Following such a copying, program control would be trans- 

5 ferred to the RTOS copy in DRAM 143 via a jump instruc- 
tion. RTOS 210 then enables all the authorized functions of 
set top box system 100. 

The entire RTOS could be encrypted using the private key 
as an alternative to employing merely a signature verifica- 

10 tion process. The steps illustrated in FIG. 5 would be similar 
except that the entire RTOS must be decrypted using the 
public key rather than just the signature portion. In this 
event, the decrypted RTOS would be copied to a operating 
portion of DRAM 143 upon verification. Thereafter program 

15 control would be passed to this copy of the RTOS from the 
boot ROM program via a jump instruction. In this case a 
non-verified RTOS even if copied into the same part of 
DRAM 143 will not operate. An incorrect decryption of an 
unauthorized RTOS 210 would likely result in an inoperable 

20 operating system. Thus the remedial action is this case 
disables set top box 110. Note the use of a private key to 
encrypt and a public key to decrypt is the reverse of the usual 
private key/public key system. Currently, only the RSA 
system is known to permit this reverse use. 

25 FIG. 6 is a flow chart 400 of an example of digital media 
processor 130 operations when called to load and run a 
resident application. Following the command to start the 
resident application program (processing block 401), pro- 
gram 400 reads the corresponding signature portion of the 

30 resident application stored in flash EPROM 141 (processing 
block 402). 

Program 400 next reads the corresponding public key 
from boot ROM 135 or flash EPROM 141 (processing block 

35 403). As noted above in the memory maps of boot ROM 135 
and flash EPROM 141, the public keys for resident appli- 
cation programs may be stored in boot ROM 135 or in flash 
EPROM 141. Alternatively, set top box 100 may be con- 
structed so that the public keys for some resident applica- 

40 tions are stored in boot ROM 135 and the public keys for the 
remaining resident applications are stored in flash EPROM 
141. Next program 400 verifies the signature portion of the 
resident application (processing block 404). This signature 
verification process is the same as previously described in 

45 conjunction with verification of RTOS 210. 

Following the verification, program 400 tests the verified 
signature portion to determine if the resident application 
supports security (decision block 405). It is contemplated 
that any resident application that interacts with program 

50 content received from television cable 101, direct satellite 
receiver front end 103 or DVD 150 will require security. 
Other resident applications may require security at the 
option of the application program vendor. Program 400 
bypasses other steps, loads the resident application into 

55 DRAM 143 and starts the application program (processing 
block 410) if this signature portion indicates a non-secure 
use. 

If the verified signature portion indicates that the resident 
application is to support secure applications (decision block 

60 405), then program 400 tests to determine if the resident 
application can be verified as correct (decision block 406). 
The trap door function of the private key encryption with 
public key decryption makes it a very difficult -task to 
modify the resident application program without producing 

65 an unpredictable modification of signature portion, thus 
enabling verification of the authorization of the resident 
application. 
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If the signature portion is not verified as secure, then (decision block 509), then program 500 tests to determine if 

program 400 indicates that the resident application is non- the downloaded application can be verified as correct 

secure (processing block 407). Thereafter program 400 takes (decision block 511). The trap door function makes it a very 

remedial action (processing block 408). This remedial action difficult task to modify the downloaded application program 

could be any of the many forms described above. 5 without producing an unpredictable modification of signa- 

If the signature portion is verified as secure, then program ture portion, thus enabling verification of the authorization 

400 indicates that the resident application as verified 0 f the downloaded application program, 

(processing block 409) Thereafter program 400 starts the downloaded application program is not verified as 

resident apphcati on by transferring at least part of its pro- t , A . . U1 * , cim & cnn • t 

gram code to DRAM 143 and transferring control via a jump 10 «T£ (f™ block 510), then program 500 indicates 

Ltruction. It is contemplated that resident application 'pro- 10 * at ■ ^ otde * a PP hcatl0n * non-secure (processing 

grams will have access to less than all of the digital media block 507) Thereafter program 500 takes remedial action 

processor functions accessible via RTOS 210. (processing block 508). This remedial action could be any of 

THe entire resident application could be encrypted using * e ^ forms de f ribe , d ^ ^ may include making a 
the private key as described above. The steps illustrated in further attem P t to download this application program. 
FIG. 6 would be similar except that the entire resident If the downloaded application is verified as correct 
application must be decrypted using the public key rather (decision block 510), then program 500 indicates the down- 
than just the signature portion. As previously described, loaded application is secure (processing block 511). There- 
using this technique means that an unauthorized program after program 500 stores and runs the downloaded applica- 
will probably crash and disable set top box 110. tion program (processing block 512). As described above, 

FIG. 7 is a flow chart 500 of an example of verification of this stora g e wUl be in flash EPROM 141 if the application 

a downloaded program. Following the command to start 15 a resident application or in DRAM 143 if the application 

downloading an application program (processing block * a transient application. Program 500 starts the down- 

501), program 500 downloads the application as stores it in loaded plication program by transferring at least part of its 

DRAM 143 (processing block 502). Then program 500 25 program code to DRAM 143 and transferring control via a 

reads the corresponding signature portion of the downloaded J um P instruction. 

application stored in DRAM 143 (processing block 503). The entire downloaded application program could be 

Program 500 next reads the corresponding public key from encrypted using the private key as described above. The 

boot ROM 135 or flash EPROM 141 (processing block 504). steps illustrated in FIG. 7 would be similar except that the 

As noted above in the memory maps of boot ROM 135 and 30 entire downloaded application must be decrypted using the 

flash EPROM 141, the public keys for resident application Public key rather than just verifying the signature portion. As 

programs may be stored in either boot ROM 135 or in flash previously described, using this technique means that an 

EPROM 141. Next program 500 runs signature verification unauthorized program will probably crash and disable set 

on the downloaded application program (processing block top box 110. 

505). This signature verification process is the same as 3S This security technique relies upon the security of boot 

previously described in conjunction with verification of ROM 135. Since boot ROM 135 is located on the same 

RTOS 210. A secure application program will have a sig- integrated circuit as the other parts of digital media proces- 

nature portion that permits verification of the entire down- sor 130 and it is a read-only, it is not subject to unauthorized 

loaded application program. A non-secure application pro- change. Therefore the verification function cannot be 

gram will have a verifiable signature stub. 40 changed to verify a unauthorized RTOS. Many of the 

Program 500 next tests to determine if the signature or Ha security functions will be available only to the RTOS based 

signature stub has been verified (decision block 506). If the upon program privilege levels. Thus most security functions 

signature or signature stub has not been verified as proper, cannot be easily compromised. The private key used for 

then program 500 would indicate a security violation encryption will only be known to the RTOS supplier, or only 

(processing block 507) and take remedial action (processing 45 to the manufacturer of digital media processor 130. In 

block 508). This remedial action could be any of the many addition the public key needed to verify the signature or to 

forms described above. In addition, another possible reme- decrypt the RTOS is also in the boot ROM. This prevents 

dial action in this instance is to make an a further attempt to substitution of another public key in an attempt to cause 

download this application. Thus program 500 could loop digital media processor 130 to verify an unauthorized RTOS. 

back to processing block 502 to repeat the download. This 50 Additionally, the resident applications are also secure. The 

remedial action would permit recovery if an authorized private keys for resident applications can be known only by 

application was corrupted, such as by noise or the like, the application owner, or by the service provider who 

during download. If this option is used, it is preferable to authorizes the application. 

abort this loop after a predetermined number of signature The above private key/public key signature verification 

verification failures. 55 system will protect against most security attacks. However, 

Following successful verification of the signature or sig- if the private key used to authenticate the RTOS is 

nature stub, program 500 tests the verified signature portion compromised, the security may be defeated by replacing the 

to determine if the downloaded application supports security RTOS with an unauthorized RTOS which will still look 

(decision block 509). Program 500 bypasses other steps, authentic. 

stores and runs the downloaded application program 60 The simplest way to detect a modified RTOS would be to 

(processing block 512), if this signature portion indicates a check the resident RTOS against the authorized program. An 

non-secure use. Note that the downloaded application pro- application program, such as a diagnostic program, could 

gram may be loaded into flash EPROM 141 if it is intended read certain memory locations in the RTOS to see if they 

to be another resident application or into DRAM 143 if it is contain the expected values. This may not always reveal 

intended to be a transient application. 65 unauthorized substitution of another RTOS. Many complex 

If the verified signature portion indicates that the down- data processors such as would be used to embody digital 

loaded application program supports secure applications media processor 130 support virtual memory. In a virtual 
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memory environment, the RTOS is quite capable of visu- 
alising itself. Thus the unauthorized RTOS would intercept 
the confirming read attempts and return the results that the 
diagnostic application expects from a copy of the authorized 
RTOS. However, this unauthorized RTOS would run instead s 
of the original RTOS consequently compromising security. 
The present inventors propose a technique which assures 
that an application can access a portion of memory directly 
without being intercepted and translated to a virtual address 
by the RTOS. 10 

FIG. 8 illustrates in block diagram form a translation 
look-aside buffer (TLB) 137 having a locked page in accor- 
dance with this invention. Virtual memory applications 
translate a virtual address into a physical address. As is 
known in the art, TLB 137 receives a virtual address on bus 15 
601 and supplies a corresponding physical address on bus 
602. A predetermined number of most significant address 
bits of the virtual address are supplied to a plurality of 
comparators 621, 623, 625 and 627. The remaining least 
significant address bits of the virtual address on bus 601 are 20 
passed unchanged to the corresponding bits of physical 
address on bus 602. Each comparator 621, 623, 625 and 627 
has a corresponding virtual address register 611, 613, 615 
and 617, respectively. The comparators 621, 623, 625 and 
627 determine if the predetermined number of most signifi- 25 
cant bits of the virtual address on bus 601 matches the 
contents of the respective registers 611, 613, 615 and 617. 
Each comparator 621, 623, 625 and 627 supplied match 
indication to multiplexer 650. Multiplexer 650 supplies the 
predetermined number of most significant bits from one of 30 
the physical address registers 641, 643, 645 and 647. The 
physical address register selected by multiplexer 650 corre- 
sponds to the comparator 621, 623, 625 or 627 detecting a 
match. These most significant physical address bits selected 
by multiplexer 650 are supplied to the most significant bits 35 
of the physical address on bus 602. Thus TLB 137 substi- 
tutes a predetermined number of bits of a physical address 
for the same number of bits of the virtual address. The 
number of possible substitutions enabled by the virtual 
address register and its corresponding comparator and physi- 40 
cal address register is limited only by considerations of 
operation code space to access the registers and the amount 
of space occupied by the TLB 137. In the prior art, virtual 
address registers 611, 613, 615 and 617 and physical address 
registers 641, 643, 645 and 647 are alterable via software. 45 
Thus the real time operating system has control of the 
mapping of virtual addresses to physical addresses. 

In this invention one of the virtual address registers and 
the corresponding physical address register are fixed upon 
manufacture. In the preferred embodiment this pair of reg- 50 
isters are mask programmable at metal layers, permitting the 
locked page to be selected upon manufacture of the inte- 
grated circuit including TLB 137 but unalterable following 
manufacture. FIG, 8 illustrates a fixed virtual address reg- 
ister 611 and its corresponding fixed physical address reg- 55 
ister 641. In the preferred embodiment the virtual address 
stored in fixed virtual address register 621 equals the physi- 
cal address stored in fixed physical address register 641. In 
the preferred embodiment, the critical code to be protected 
from relocation will be stored in flash EPROM 141 within 60 
the boundary of physical addresses covered by this virtual 
address register. Attempts to write to either fixed virtual 
address register 611 or fixed physical address register 641 
will fail because these registers are fixed in hardware. 
Preferably there will be no faults or errors generated by an 65 
attempt to modify these registers. Alternatively, neither the 
fixed virtual address register 611 nor the fixed physical 
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address register 641 are accessible via the instruction set 
architecture. Since the reason thai fixed virtual address 
register 611 or fixed physical address register 641 are fixed 
is to prevent alteration, no access via the instruction set 
architecture would ever be required. 

A further feature of this invention is illustrated in FIG. 8. 
Note that the match indication from comparator 621 is 
supplied directly to multiplexer 650. The match indication 
from other comparators form the noninverting input to 
respective AND gates 633, 63and 637. Each of these AND 
gates 633, 635 and 637 receives the match indication from 
comparator 621 on an inverting input. Thus a match indi- 
cation from comparator 621 prevents supply of a match 
indication to multiplexer 650 from any other comparator. 
This prevents an unauthorized person from leaving the 
original RTOS in place to respond to security queries while 
attempting to run an unauthorized RTOS from a relocated 
part of memory. Any memory accesses to the physical 
memory addresses of virtual address register 611 and physi- 
cal address register 641 cannot be relocated but are directed 
to the physical address of the original RTOS. 

With this invention an unauthorized attempt to relocate 
the RTOS may occur, but no actual address translation will 
take place. Thus if the original RTOS is always located in 
this memory area, a diagnostic program can read signature 
locations with assurance that the original physical locations 
are being accessed. Thus the diagnostic program can deter- 
mine if the RTOS is compromised, and take appropriate 
remedial action. This remedial action may include any of the 
remedial actions previously described. 

The set top box 100 illustrated in FIG. 1 includes an 
additional potential security problem. DRAM 143 stores a 
video data stream that has been decrypted but not decom- 
pressed. This video data is stored in compressed video FIFO 
buffer 280. It is possible for an unauthorized person to 
intercept this data as it is being transferred from digital 
media processor 130 to DRAM 143 or as it is being 
transferred from DRAM 143 and digital media processor 
130. These data transfers will be interleaved with other data 
traffic between digital media processor 130 and DRAM 143, 
but it is feasible to separate the compressed video data. 
Because the video is compressed, a minimal amount of 
memory would be required to store this data. Some content 
providers would like to prevent their video programming 
from such interception. Note that interception of the video 
data stream at this point would permit generation of plural, 
identical and immediately viewable copies of the video. 

FIG. 9 illustrates in flow chart form a process preventing 
such unauthorized interception. Following reception of the 
video data stream (processing block 701) digital media 
processor 130 decrypts the video data stream (processing 
block 702). This decryption is subject to security procedures 
to ensure that the user is authorized to view this video data 
stream. Following this decryption of the source program, 
digital media processor encrypts the video data stream again 
(processing block 703). In this instance a relatively simple 
encryption is used, such as a simplified DES algorithm. The 
encryption key is preferably derived from the chip identity 
number stored in chip identity register 133. This encrypted 
data is stored in compressed video FIFO buffer 280 
(processing block 704). At the appropriate time, the video 
data is recalled from compressed video FIFO buffer 280 
(processing block 705). The recalled data is decrypted using 
the encryption key derived from the chip identity number 
(706). This data is then ready for further processing 
(processing block 707). 

This technique has the advantage that the compressed 
video data stream temporarily stored in compressed video 
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FIFO buffer 280 can only be read by the particular digital 
media processor 130. The chip identity number is unique to 
that particular digital media processor. The video data can- 
not be viewed by any other means, even another identical set 
top box system 100 without breaking the code. This is 
believed adequate security by most content providers. 
Additionally, the encryption and decryption is transparent to 
the user. There only needs to be a small additional process- 
ing capacity available within digital media processor 130 
beyond the minimal requirement of the particular applica- 
tion. 

Another potential security problem is created by the 
hardware debugger/emulator. The, semiconductor manufac- 
turer of digital media processor 130 will generally also sell 
hardware debugger/emulator systems to application pro- 
gram developers, including operating system developers. 
Generally such hardware debugger/emulator systems by 
design have unlimited access to all of memory, including 
"private" areas. Thus a hardware debugger/emulator system 
of the type known in the art would permit unauthorized 
breach of the security of set top box system 100. 

The following modification to the hardware debugger/ 
emulator system will guard against this potential security 
problem. The hardware debugger/emulator will operate in 
two modes, a process mode and a raw mode. In the process 
mode, the hardware debugger/emulator may only access a 
particular process or application program. All system access 
is permitted in the raw mode. 

FIG. 10 is a flow chart illustrating the process of selecting 
the mode at the hardware debugger/emulator. Upon start of 
the hardware debugger/emulator (processing block 801), 
process 800 reads the signature portion 211 of RTOS 210 
stored in flash EPROM 141 (processing block 802). Process 
800 next reads the RTOS public key 203 from boot ROM 
135 (processing block 803). Next process 800 verifies the 
signature portion 211 of RTOS 210 (processing block 804). 
Following the verification, process 800 tests the verified 
signature portion to determine if RTOS 210 supports secure 
applications (decision block 805). As previously described, 
digital media processor 130 could be embodied in applica- 
tions not requiring the security of set top boxes. In such 
applications, the verified signature portion 211 indicates that 
the RTOS need not be secured. If this is the case, then 
process 800 bypasses other steps activates the hardware 
debugger/emulator in raw mode (processing block 806). 

If the RTOS supports secure applications (decision block 
805), then process 800 checks to determine if the chip 
identity number stored in chip identity register 133 is of the 
subset of possible chip identity numbers that permit the raw 
mode for secure applications (decision block 807). Some 
program developers, particularly RTOS developers, will 
need access to the raw mode of the hardware debugger/ 
emulator. This invention contemplates that a bit or bits or 
some subset of the possible coding of the chip identity 
number will be reserved for hardware debugger/emulators 
supporting this use. Thus only a certain limited number of 
the digital media processors 130 will permit raw mode 
operation of the hardware debugger/emulator in environ- 
ments supporting the security described above. The manu- 
facturer of digital media processor 130 will supply these 
particularly identified chips only to trusted program devel- 
opers. 

If the chip identity number does not permit raw mode 
operation (decision block 807), process 800 reads a token 
from the particular process or application program under 
development in the hardware debugger/emulator. Process 



800 then determines if this token is verified as proper 
(decision block 809). This process could take place using the 
private key encryption and public key decryption described 
above, or another verification procedure could be employed. 

s If the token is not verified (decision block 809), then process 
800 take appropriate remedial action (processing block 810). 
The various types of remedial action that could be taken 
have already been described. If the token is verified 
(decision block 809), then process 800 activates the hard- 

10 ware debugger/emulator in process mode (processing block 
811). In the process mode, the hardware debugger/emulator 
may only access a particular process or application program 
corresponding to the verified token. 

This process satisfies all the requirements of the users. 

15 Program developers who use digital media processor 130 in 
a nonsecure application will have complete access to the 
functions of the hardware debugger/emulator. Program 
developers who use digital media processor 130 in secure 
applications will have access limited. Most of those program 

20 developers will use the secure RTOS and have access only 
to their own programs as identified by the token encrypted 
with their corresponding private key. RTOS developers will 
have complete system access but only to particular digital 
media processors having the proper chip identity numbers. 

25 Thus the manufacturer of digital media processor 130 can 
have the proper level of control in order protect the security 
of set top box systems 100, 

The security inventions of this patent application have 
been described in conjunction with a particular type system 

30 requiring computer security, i.e. the set top box. Those 
skilled in the art would realize that the use of these security 
techniques are not limited to this example. Particularly, 
almost any computer system requiring that some functions 
have a degree of security may employ these techniques. 

35 What is claimed is: 

1. A secure computing system comprising: 

a data processor disposed on a single integrated circuit, 
said data processor including a read only memory 
storing a decryption key, and a chip identity read only 
40 register storing a unique chip identity number acces- 
sible by said data processor; 
a memory bidirectionally coupled to said data processor 
and storing data; 
45 said data processor being programmed to: 
receive encrypted and compressed data, 
decrypt said encrypted and compressed data employing 
said decryption key stored in said read only memory, 
employ said memory as a first-in-first-out buffer includ- 

50 in g 

encrypting said decrypted data employing at least a 
part of said chip identity number as encryption 
key, 

storing said encrypted data in said memory, 
55 recalling said stored data from said memory, and 

decrypting said recalled data employing at least a 

part of said chip identity number as decryption 

key, 

decompress said decrypted data recalled from said 
6Q memory, and 

output decompressed data. 

2. The secure computing system of claim 1, wherein: 
said chip identity read only register includes a plurality of 

bits, each bit capable of selective fixation by laser; and 
65 said unique chip identity number being fixed in manufac- 
ture by laser probing corresponding bits of said chip 
identity read only register. 
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3. The secure computing system of claim 1, wherein: 
said chip identity read only register includes a plurality of 

fuse links, each fuse link capable of selective activa- 
tion; and 

said unique chip identity number being fixed in manufac- 5 
ture by selective activation of a subset of said plurality 
of fuse links of said chip identity read only register. 

4. The secure computing system of claim 1, wherein: 
said chip identity read only register includes a plurality of 

antifuse links, each antifuse link capable of selective 
activation; and 
said unique chip identity number being fixed in manufac- 
ture by selective activation of a subset of said plurality 
of antifuse links of said chip identity read only register. ^ 

5. The secure computing system of claim 1, wherein: 
said encrypted and compressed data is a stream of video 

data. 

6. A method of secure computing comprising the steps of: 
disposing on a single integrated circuit a data processor, 20 

a read only memory storing a decryption key, and a 

chip identity read only register; 
storing a unique chip identity number accessible by said 

data processor in said chip identity read only register; 
receiving encrypted and compressed data; 
employing said data processor to decrypt said encrypted 

and compressed data employing said encryption key 

stored in said read only memory; 
employing a memory as a fiist-in-first-out buffer for said 30 

data processor including 

encrypting said decrypted data with said data processor 
employing at least a part of said chip identity number 
as an encryption key; 
storing said encrypted data in a memory; 35 
recalling said stored data from said memory; 
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decrypting said recalled data with said data processor 
employing at least a part of said chip identity number 
as a decryption key; 
employing said data processor to decompress said 

decrypted data recalled from said memory; and 
outputting said decompressed data from said data proces- 
sor. 

7. The method of secure computing of claim 6, wherein: 
said step of storing said unique read only chip identity 

number in said chip identity read only register includes 
constructing said chip identity read only register as a 

plurality of bits, each bit capable of selective fixation 

by laser, and 

laser probing selected bits of said chip identity read 
only register. 

8. The method of secure computing of claim 6, wherein: 
said step of storing said unique read only chip identity 

number in said chip identity read only register includes 
constructing said chip identity read only register as a 

plurality of fuse links, each fuse link capable of 

selective activation, and 
selective activation of a subset of said plurality of fuse 

links of a chip identity read only register. 

9. The method of secure computing of claim 6, wherein: 
said step of storing said unique read only chip identity 

number in said chip identity read only register includes 
constructing said chip identity read only register as a 

plurality of antifuse links, each antifuse link capable 

or selective activation, and 
selective activation of a subset of said plurality of 

antifuse links of a chip identity read only register. 

10. The method of secure computing of claim 6, wherein: 
said encrypted and compressed data is a stream of video 

data. 
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